npm CLI 11.15.0 stages a tarball for maintainer 2FA approval before it hits the registry. Plus --allow-* install controls and how they differ from release-age gates and allowScripts.
postcss, nanoid and browserslist all ship from one npm account: 964M downloads/week, no provenance. Not a breach but a single-publisher risk — what moved to staged releases, and what to check in your lockfile.
Chainguard has blocked 52,000+ npm packages as malware or greyware, scanning 100,000+ a day, catching README-honest credential CLIs that release-age gates and npm v12 miss.
On June 17, 2026 Mastra's @mastra/* packages were re-published with an added easy-day-js dependency whose postinstall runs a RAT at install. Counts: 116 official vs 143–144 external.
npm v12 blocks preinstall/postinstall scripts and implicit node-gyp unless approved. Use npm 11.16.0 approve-scripts, allowScripts, --allow-git, and --allow-remote before CI.
GitHub disabled 73 Microsoft repos after an Azure/durabletask commit. Miasma used Claude Code, Gemini CLI, Cursor, and VS Code config, not npm install.
TrapDoor planted 34 packages across npm, PyPI and Crates.io to steal Solana/Sui/Aptos wallet keys. Each registry fires differently: postinstall, import-time, and Rust build.rs.
The May 19 Mini Shai-Hulud wave compromised 314 npm packages under @antv via the `atool` maintainer account. After rolling back lockfiles, payload entry points stay behind in .claude/settings.json SessionStart hooks, .vscode/tasks.json folderOpen tasks, systemd user services, and .github/workflows/codeql.yml. Concrete IoCs and the gh-token-monitor wipe ordering before rotation.
Mini Shai-Hulud-class npm hijacks live for 3-12 hours before takedown. pnpm 11.0 ships minimumReleaseAge=1440 (1 day) by default, Yarn 4.10 ships npmMinimalAgeGate=3d, npm v11.10 needs explicit min-release-age. Working .npmrc / pnpm-workspace.yaml / .yarnrc.yml configs and what breaks when ignore-scripts=true (esbuild, sharp, node-gyp, Cypress).
May 12: TeamPCP open-sourced the Shai-Hulud worm on GitHub. Datadog mapped its module pipeline (Loader/Provider/Collector/Dispatcher/Sender/Mutator) and Claude Code SessionStart hook for persistence. May 15: BreachForums opened a paid attack challenge. Detection notes for the copycat wave.
Malicious node-ipc 9.1.6/9.2.3/12.0.1 fire on require(), not postinstall. 12.0.1 is SHA-256 gated (targeted), so a working app isn't safe. Exfils dev/CI secrets via DNS TXT.
TanStack npm compromise (42 pkgs / 84 versions, CVE-2026-45321 CVSS 9.6) on May 11, 2026 UTC spread across UiPath (60+), Mistral, OpenSearch, guardrails-ai, Checkmarx Jenkins. Covers token-revoke wipe ordering, first valid SLSA provenance on malicious npm, and Vect ransomware secondary wave (wiper, not real ransomware). Live tracking.